Debian DSA-1807-1 : cyrus-sasl2, cyrus-sasl2-heimdal - buffer overflow

high Nessus Plugin ID 39332

Synopsis

The remote Debian host is missing a security-related update.

Description

James Ralston discovered that the sasl_encode64() function of cyrus-sasl2, a free library implementing the Simple Authentication and Security Layer, suffers from a missing null termination in certain situations. This causes several buffer overflows in situations where cyrus-sasl2 itself requires the string to be null terminated which can lead to denial of service or arbitrary code execution.

Important notice (Quoting from US-CERT): While this patch will fix currently vulnerable code, it can cause non-vulnerable existing code to break. Here's a function prototype from include/saslutil.h to clarify my explanation :

/* base64 encode * in -- input data * inlen -- input data length * out
-- output buffer (will be NUL terminated) * outmax -- max size of output buffer * result: * outlen -- gets actual length of output buffer (optional) * * Returns SASL_OK on success, SASL_BUFOVER if result won't fit */ LIBSASL_API int sasl_encode64(const char *in, unsigned inlen, char *out, unsigned outmax, unsigned *outlen);

Assume a scenario where calling code has been written in such a way that it calculates the exact size required for base64 encoding in advance, then allocates a buffer of that exact size, passing a pointer to the buffer into sasl_encode64() as *out. As long as this code does not anticipate that the buffer is NUL-terminated (does not call any string-handling functions like strlen(), for example) the code will work and it will not be vulnerable.

Once this patch is applied, that same code will break because sasl_encode64() will begin to return SASL_BUFOVER.

Solution

Upgrade the cyrus-sasl2/cyrus-sasl2-heimdal packages.

For the oldstable distribution (etch), this problem has been fixed in version 2.1.22.dfsg1-8+etch1 of cyrus-sasl2.

For the stable distribution (lenny), this problem has been fixed in version 2.1.22.dfsg1-23+lenny1 of cyrus-sasl2 and cyrus-sasl2-heimdal.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528749

https://www.debian.org/security/2009/dsa-1807

Plugin Details

Severity: High

ID: 39332

File Name: debian_DSA-1807.nasl

Version: 1.20

Type: local

Agent: unix

Published: 6/2/2009

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:cyrus-sasl2, p-cpe:/a:debian:debian_linux:cyrus-sasl2-heimdal, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 6/1/2009

Reference Information

CVE: CVE-2009-0688

CWE: 119

CERT: 238019

DSA: 1807